The good news, said a JP Morgan Chase Bank official soon after it filed a regulatory report last week about a data breach, is that it appeared that no sensitive customer data had been compromised.

The bad news was the breach lasted several months and affected 76 million households and 7 million small businesses. Gigabytes of data — names, addresses, phone numbers and email addresses — apparently were sucked out of the bank’s servers and likely were gathered at a data center somewhere in Russia, according to Bloomberg News.

JP Morgan Chase is this country’s largest bank. You might think that cyber thieves direct all their efforts at the big guys. You might be wrong.

Smaller investment companies may not be very concerned about cybersecurity, perhaps thinking that they are too small for crooks to bother with. One industry observer says that portion of the finance industry could amount to so much “low-hanging fruit” for cyber criminals.

The North American Securities Administrators Association recently ran a pilot study of nine states, including Maine. The study looked at 440 registered investment advisers that manage assets of less than $100 million.

Of those small and medium-sized firms, 4.1 percent reported having experienced a data breach. Some 1.1 percent reported having “theft, loss, unauthorized exposure, or unauthorized use of or access to confidential information.”

Critics say those numbers don’t tell the whole story. Smaller firms with less than state-of-the-art cybersecurity may not know whether their systems have been breached, let alone whether any data have been lost. The survey also showed that more than one-third of the responding firms did not test for threats or security gaps; more than 60 percent don’t have training programs, policies or procedures to detect unauthorized access to data.

The record is better in Maine than in some other states in the survey, according to Judith M. Shaw, Maine’s securities administrator. Shaw said the survey is giving regulators a baseline from which to formulate policies that will help the investment industry as a whole.

“I couldn’t tell you that we have those best practices and policies in place now,” Shaw said. But she added that her staff members visit investment firms large and small and make suggestions when they find security issues that need addressing.

“And they implement our recommendations right away,” Shaw added.

In other states, owners of some investment firms say they don’t manage money, only offer advice; for that reason, they may feel that cybersecurity is less of an issue for them. Shaw says investment firms in Maine “are very attuned to the fact that, whether they are handling assets or not, they need to be vigilant.”

Shaw says consumers should ask the investment pros who handle their money some hard questions, such as these:

— Are you using systems that are protected appropriately?

— What do you do to protect the data that you have?

— Are there appropriate layers of verification for those accessing data?

Shaw says people may hesitate to ask tough questions of people they consider professionals. However, she says these types of questions need to be asked and answered.

The NASAA plans to continue the study with an eye toward recommending practices to improve security. To that end it expects to “engage in additional conversation with industry.”